Configure Windows Defender ATP server endpoints

11/30/2017

3 minutes to read

Contributors

In this article

Applies to:

Windows Server 2012 R2

Windows Server 2016

Windows Defender Advanced Threat Protection (Windows Defender ATP)

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Click Turn on server monitoring and confirm that you'd like to proceed with the environment set up. When the set up completes, the Workspace ID and Workspace key fields are populated with unique values. You'll need to use these values to configure the MMA agent.

You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see Configure proxy settings.

Once completed, you should see onboarded servers in the portal within an hour.

Configure server endpoint proxy and Internet connectivity settings

Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway.

If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:

Agent Resource

Ports

*.oms.opinsights.azure.com

443

*.blob.core.windows.net

443

*.azure-automation.net

443

*.ods.opinsights.azure.com

443

winatp-gw-cus.microsoft.com

443

winatp-gw-eus.microsoft.com

443

winatp-gw-neu.microsoft.com

443

winatp-gw-weu.microsoft.com

443

Offboard server endpoints

To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
For more information, see To disable an agent.

Note

Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.

The feedback system for this content will be changing soon. Old comments will not be carried over. If content within a comment thread is important to you, please save a copy. For more information on the upcoming change, we invite you to read our blog post.